“In this vulnerability an anti-phishing mechanism wasn’t implemented properly in some web browsers, and like in many other cases, improper implementation renders the mechanism ineffective, in this case exposing users to phishing attacks that are hard to identify. In most of the cases these scenarios end with account takeover, where the attacker obtains control of the user’s account.

In order to protect website users, forcing them to use strong passwords and to replace them frequently is insufficient, since in this case it would be completely ineffective to prevent the attack. Site administrators should assume that the credentials of some of their users were stolen (which in almost 100% of the cases will be true), and take adequate measures to identify account takeover, like irregular device, irregular geo-location or abnormal activity in the account.”